[06:43:11] --- davemitton has joined
[06:53:09] --- daniel.mannarino has joined
[06:53:11] --- engel has joined
[06:53:49] --- engel has left
[06:54:08] --- engel has joined
[06:57:04] --- kenh has joined
[06:57:13] --- kenh has left
[06:58:17] --- artur has joined
[07:00:17] --- kenh has joined
[07:01:34] --- kenh has left
[07:01:43] --- corby has joined
[07:02:52] --- Melinda has joined
[07:02:52] --- jlcjohn has joined
[07:04:05] <artur> anyone doing the jabber scribe?
[07:05:46] --- daniel.mannarino has left: Replaced by new connection
[07:05:46] --- daniel.mannarino has joined
[07:10:34] --- corby has left: Replaced by new connection
[07:10:40] --- corby has joined
[07:10:46] --- corby has left
[07:10:59] <artur> anyone here who is not actually in the presentation? anyone wants a scribe?
[07:12:09] <daniel.mannarino> *poke jlcjohn*
[07:14:43] <jlcjohn> To tell truth, I'm following two groups: scribing would be helpful...
[07:15:18] <artur> i can try, but don't blame me
[07:15:31] <artur> EAP WG started
[07:15:55] <artur> Jari Arkko opens with general presentations, followed by the EAP Keying Issue discussion led by Joe Salowey
[07:15:57] <Melinda> Thanks, artur - I'm remote, too, and would like to follow
[07:16:32] <artur> several issues and related documents are being discussed. related docs: housley requirements, eap keying draft and eap key management issues
[07:16:52] --- jhutz has joined
[07:18:07] <artur> now discussing particular issues, as they are referenced on the WG page (B. Aboba's page). all presentations are on www.arkko.com/publications/eap/ietf-63
[07:19:08] <daniel.mannarino> In Powerpoint, apparently ::(
[07:19:15] <artur> apparently
[07:20:09] <artur> Hannes Tschofenig asks what the objective of the analysis of issue 294 is. Joe replies that the objective is to understand the security properties with respect to the current usage
[07:21:06] <artur> Jari adds that the idea is to understand the well-known, widely deployed cases and to do analysis on these cases in order to be able to say what works and what doesn't in the most general cases
[07:21:29] <artur> the aim is not to cover ALL possible lower layers and to cover all possibilities
[07:23:32] <artur> issue 294 is to analyze 802.1X, PPP and 802.11i as typical usage scenarios
[07:23:51] <artur> now coming to issue 299: key caching
[07:24:13] <artur> internal EAP method keys may be cached (fast reconnect, etc)
[07:24:54] <artur> AAA-key and TSK caching happens in the lower layer
[07:25:45] <artur> definition and naming issues here. generally: if these keys are so low-layer, why treat them in EAP/AAA?
[07:25:51] <artur> (joe's presenting)
[07:26:07] <artur> EMSK/AMSK caching is a possible future extension
[07:26:31] --- corby has joined
[07:26:46] --- aibo7 has joined
[07:27:08] <artur> the proposal is to think about it later but not to treat this latter caching in the current keying document
[07:28:10] --- tanupoo has joined
[07:28:36] <artur> coming to the next issue - issue 302, domino effect
[07:29:58] <artur> recent discussions on the list show that the compromise scope is not clearly defined, the requirements are unclear
[07:30:10] <artur> what is compromised?
[07:30:38] <artur> what is compromised as a result?
[07:31:06] <artur> stay within the system definitions (don't treat outer issues - emailed password compromise, etc.)
[07:31:29] <artur> Jari argues that we probably have to specify this per entity in the system definition
[07:32:19] <artur> Alper Yegin asks if housley requirements will become normative
[07:33:44] <artur> (correction: the first remark above did not come from Hannes but from Alper. sorry)
[07:35:00] <artur> Jari proposes that Alper takes the housley text and checks it for general applicability to the EAP keying hierarchy to get it more precise in terms of the EAP WG objectives
[07:35:25] <artur> coming to next issue: 307 deletion of the security requirements section
[07:35:35] <artur> no comments
[07:35:47] <artur> issue 279: additional keying protocol requirements
[07:37:52] <artur> Jesse Walker has submitted a list of requirements, needs to be analysed
[07:38:05] <artur> Jesse will take this task (is not present)
[07:38:32] <artur> Now coming to next steps
[07:39:39] --- engel has left: Replaced by new connection
[07:39:40] --- engel has joined
[07:39:48] <artur> the document still needs some work to be done
[07:39:55] <artur> (version -08)
[07:40:30] <artur> form and design issues
[07:40:50] <artur> version 09 in approx. 6 weeks
[07:40:51] --- rbless has joined
[07:41:08] <artur> final draft for IETF 64
[07:41:24] <artur> last call will be scheduled for version 09
[07:42:10] <artur> housley-document: needs a review, issue resolving. extensions after IETF 64
[07:42:18] <artur> now coming to the next TOPIC
[07:42:22] <artur> -----------
[07:42:29] <artur> Channel binding issues
[07:43:17] <artur> presented by Yoshihiro Ohba (Yoshi)
[07:44:25] <artur> background: each lower layer carries its own parameters. these need to be bound to the AAA-key.
[07:45:06] <artur> if not done: security flaws (refer to WG documents/drafts for more info)
[07:45:25] <artur> currently: binding is done in the EAP method
[07:47:47] <artur> EAP-server is involved in the verification process. decisions of correct binding are done by the lower layer entities.
[07:48:08] <artur> this should be done transparently for any lower layer
[07:48:19] <artur> -> key binding blob
[07:48:38] <artur> an octet-string carrying lower layer parameters that need to be bound
[07:49:30] <artur> EAP peer and EAP authenticator generate a key binding blob
[07:50:27] <artur> EAP server is verifying the received blobs
[07:51:37] <artur> works for both colocated and separated server/authenticator (please refer to Yoshi's slides for verification - there are schemes and images)
[07:51:55] <artur> (www.arkko.com/publications/eap/ietf-63)
[07:52:29] <artur> anyway, AAA-Key is derived as a function of the blobs
[07:52:38] <artur> and not as today, as a part of the MSK
[07:53:22] <artur> treatment of the legacy cases: authentication must fail in some cases
[07:53:38] <artur> comparison:
[07:53:47] <artur> pros: the authenticator does not need to be changed
[07:53:53] <artur> (pass-through mode)
[07:54:01] <artur> cons:
[07:54:16] <artur> EAP methods must carry lower layer parameters
[07:54:27] <artur> not needed in case of a standalone EAP authenticator
[07:54:41] <artur> (that's about the existing solution)
[07:54:46] <artur> proposed solution:
[07:54:50] <artur> Pros:
[07:54:59] <artur> No need to change the existing EAP methods
[07:55:17] <artur> transparent operation for both standalone and pass-through authenticators
[07:55:24] <artur> robust
[07:55:37] <artur> yoshi opens the discussion
[07:55:45] <artur> (missed some cons here)
[07:56:19] <artur> Cons (update): it needs changes to the existing authenticators
[07:56:42] <artur> Pasi Eronen asks if that means that all 802.11 APs must be changed/updated?
[07:57:04] <artur> Yoshi confirms this, but adds that the legacy could be used in conjunction with the new proposal
[07:57:49] <artur> John Vollbrecht argues that there is a naming confusing with EAP lower layer, referring to Yoshi's slides
[07:58:02] <artur> -confusing/+confusion
[07:58:11] <artur> confusion, sorry :-)
[07:59:14] <artur> Joe Salowey: the new method requires many changes to the existing implementations
[07:59:29] <artur> maybe in the future it would be interesting
[08:00:27] <artur> John Vollbrecht thinks it's a good idea, but the question is if it's the right topic for the EAP WG -> if it is outside the EAP layer, then the requirement should be perhaps added to the russ housley AAA requirement document
[08:01:21] <artur> Joe agrees with John that "channel binding" is a strange name.
[08:03:01] <artur> Glen Zorn argues that EAP keying framework is confusing anyway:
[08:03:26] <artur> keying is not part of EAP, it's only an accompanying effect
[08:03:47] <artur> it's just a side-effect of the EAP authentication
[08:04:35] <artur> Pasi Eronen agrees that we have the naming issues: talking about EAP system, etc.
[08:05:08] <artur> coming to the next topic
[08:05:32] --- jhutz has left
[08:05:35] <artur> Method discussion; 40 min
[08:05:42] <artur> 1. EAP PSK
[08:06:56] <artur> last version reviewed by Jesse Walker
[08:07:17] <artur> requested EAP method type number allocation
[08:08:05] <jlcjohn> Is there a slide-set?
[08:08:13] <artur> should be on www.arkko.com/publications/eap/ietf-63
[08:08:37] <artur> review issues:
[08:09:00] <jlcjohn> Um... which file?
[08:09:02] <artur> AK/KDK derivation taking party identity into account (to achieve key separation)
[08:09:15] <artur> sorry, no idea - EAP PSK something?
[08:10:06] <artur> second issue: mutual authentication is flawed
[08:11:16] <artur> EAP-PSK is a cut and paste from AKEP2
[08:11:31] <daniel.mannarino> Can't figure out which file this is
[08:11:49] <artur> (personally, i can't even connect to the site)
[08:12:36] <artur> RAND_P and KDK are used in the TEK, MSK and EMSK derivation
[08:12:38] <jlcjohn> (I don't suppose anybody has the nerve to ask?)
[08:12:56] <artur> the discussion is going on for the moment
[08:14:22] <artur> (don't think the slides are up)
[08:14:26] <artur> (just checked)
[08:14:40] <jlcjohn> Thx
[08:15:21] <artur> next topic
[08:15:40] <artur> EAP-IKEv2 (pasi eronen)
[08:15:53] <artur> - document far from ready
[08:17:26] <artur> examples: fragmentation
[08:18:00] <artur> fast reconnect (key choice)
[08:18:27] <artur> several other issues - refer to the slides
[08:18:55] <artur> (UPDATE on the EAP PSK slides: just asked the author - the slides have not yet been uploaded by Jari. will be done later)
[08:19:44] --- lixia has joined
[08:22:20] <artur> Hannes Tschofenig has a question about the EAP IKEv2 status versus Channel Binding (not sure to have understood this one correctly)
[08:23:38] <artur> Coming to EAP Smartcard
[08:23:56] <artur> Presentation by Pascal Urien, reviewed by Glen Zorn
[08:26:31] <artur> (please refer to the slides)
[08:27:01] <jlcjohn> ietf63_eap_sc_type_urien.ppt, right?
[08:27:43] <artur> (yes, exactly)
[08:30:15] <artur> Pascal is discussing the points raised by Glen in his review (see slides)
[08:30:35] <artur> (the slides are very informative on that)
[08:31:31] <artur> Glen confirms that it is principally a multiplexing method. there are no security properties - since it is only multiplexing
[08:32:11] <artur> Glen argues that EAP-SC does not prove that the packets come from a particular smartcard (by some crypto-method etc.)
[08:33:27] <artur> Pascal says that in the case of EAP TLS run from the smartcard, this is actually the case. Jari proposes to take this discussion to the list
[08:33:51] <artur> Glen still adds that the method simply does not need any security considerations. Pascal principally agrees.
[08:33:56] <artur> coming to the next topic
[08:34:08] <artur> Hannes Tschofenig, EAP Double TLS
[08:35:00] <artur> please refer to slides ietf63_eap_double_tls_hannes.ppt
[08:40:38] <artur> Pascal makes comments on Double TLS usage issues
[08:40:48] <artur> next topic
[08:40:51] <artur> EAP PAX
[08:41:46] <artur> Charles Clancy
[08:43:07] <artur> question is if it should go to EAP or SECMECH
[08:43:20] <artur> has allocated EAP type 46
[08:43:28] <artur> coming to the next topic
[08:43:37] <artur> finished EAP methods
[08:43:53] <artur> John Vollbrecht, Trusted Computing Group, TNC
[08:44:28] <artur> idea: platform integrity
[08:44:48] <artur> check the CLIENT state before allowing access to the network
[08:44:49] <artur> quarantine
[08:45:10] <artur> TNC is considering implementation of a new EAP method
[08:45:21] <artur> an inner method carried by an outer method
[08:45:27] <artur> the method may run with other methods.
[08:50:18] <artur> john presents the TNC architecture and shows where EAP could be used as an implementation of the interface protocol
[08:57:11] --- rbless has left
[08:59:38] <artur> issues with outer/inner EAP methods
[08:59:42] <artur> no standard outer method exists
[09:00:27] <artur> keying requirements of inner methods + validating by the outer method (cryptobinding)
[09:00:47] <artur> - include in the key framework as an extension?
[09:01:02] <artur> sequencing inner methods?
[09:01:46] <artur> liaison of TNC with IETF requested
[09:01:48] <artur> questions
[09:01:51] --- lixia has left: Disconnected
[09:02:20] <artur> Pasi Eronen: sounds interesting, inappropriate without EAP WG participation
[09:02:39] <artur> need access to the TCG documents
[09:02:45] <artur> -> difficult
[09:04:05] <artur> AVPs/TLVs (outer method issue raised before): EAP method obviously does not define sequencing and behavior in that case. also AVP/TLV interpretation/standardization is difficult because the vendors do not want it
[09:04:38] <artur> Hannes Tschofenig: does not like the idea of standardizing ONE outer method. till now: free choice of the outer method
[09:04:48] <artur> efficiency issues with tunneled methods
[09:05:18] --- corby has left: Disconnected
[09:05:25] <artur> John Vollbrecht basically agrees that it would be a new requirement
[09:05:51] <artur> Alper Yegin says that 802.16 allows two subsequent EAP sessions (if i understood this correctly)
[09:06:30] <artur> Glen Zorn argues that it is specifically forbidden to make EAP sequencing
[09:06:43] <artur> by the newer EAP standard, apparently
[09:06:57] <artur> John agrees with Glen
[09:07:29] <artur> update on Alper's comment: 802.16e security
[09:07:39] <artur> coming to the next topic
[09:08:07] <artur> EAP enrollment Method - Rohan Mahy
[09:09:57] <artur> observation: small wireless devices are a pain to enroll onto WLANs
[09:10:17] <artur> ex. typing 802.1X credentials into a Wifi phone
[09:10:56] <artur> idea: start with weak convenient temporary credentials and bootstrap once to strong permanent credentials
[09:11:41] <artur> example of complexity hierarchy: EAP TLS, WPA Enterprise with PEAP shared key, WPA PSK
[09:11:51] <artur> (or WPA2)
[09:12:19] <artur> use existing methods to get a secure channel and to authenticate the server (EAP-TTLS e.g.)
[09:12:43] <artur> no new crypto or key derivation methods
[09:12:55] <artur> emphasis on semantics needed to get strong credentials to the device
[09:13:51] <artur> Hannes comments:
[09:14:03] <artur> - everybody probably has already had some similar thoughts
[09:15:55] <artur> - EAP applicability question
[09:16:01] <artur> (Alper seems to agree)
[09:16:52] <artur> the problem seems to come down to always the same problem: we need some parameters for bootstrapping - sounds similar to the TNC presentation by John Vollbrecht
[09:17:22] --- aibo7 has left
[09:17:49] <artur> Glen argues that it would need outer method standardization
[09:19:07] <artur> argumentation about MitM attacks
[09:19:22] <artur> the discussion gets technical, Jari wants this on the list
[09:20:33] <artur> EAP WG meeting finished
[09:20:38] <artur> thanks for listening
[09:21:05] --- davemitton has left
[09:21:16] --- engel has left
[09:24:36] <artur> http://eappsk.chez.tiscali.fr//PreSharedKeyEAPMethods-EAP-PSK-draft08.pp
[09:24:40] <artur> the PSK slides
[09:27:55] --- daniel.mannarino has left: Disconnected
[09:33:53] --- aibo7 has joined
[09:34:04] --- Melinda has left
[09:34:48] --- tanupoo has left: Disconnected
[09:42:30] --- artur has left: Disconnected
[10:04:59] --- aibo7 has left: Disconnected
[10:40:15] --- artur has joined
[10:42:39] --- artur has left
[10:44:04] --- tanupoo has joined
[10:44:25] --- tanupoo has left
[11:26:41] --- jlcjohn has left